How To Configure Apache 2.4 to Renew LetsEncrypt running WordPress and https

Published Date Author: , Posted August 21st, 2017 at 1:23:32pm

This post does not cover configuring letsencrypt or ssl/https.

First, make sure your LetsEncrypt configuration points to the actual WordPress document root directory

cat /etc/letsencrypt/renewal/www.yourdomain.com.conf

1
2
3
4
...
[[webroot_map]]
yourdomain.com = /volumes/data/www/yourdomain.com/prod/wordpress
www.yourdomain.com = /volumes/data/www/yourdomain.com/prod/wordpress
...
[[webroot_map]]
yourdomain.com = /volumes/data/www/yourdomain.com/prod/wordpress
www.yourdomain.com = /volumes/data/www/yourdomain.com/prod/wordpress

Second, use the new macro language feature in Apache 2.4 to configure an https redirect macro which does NOT redirect to https for anything in the .well-known subdirectory. This allows the renewal process to function via http with no redirect.

Apache Config:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<Macro RedirectTo $protocol $domain>
  <If "%{REQUEST_URI} =~ m#^/\.well-known(/|$)#">
    # Do nothing
  </If>
  <ElseIf "tolower(req('Host')) != '$domain' || tolower(%{REQUEST_SCHEME}) != '$protocol'">
    Redirect permanent / $protocol://$domain/
  </ElseIf>
</Macro>
 
<VirtualHost *:80>
    ServerName www.yourdomain.com
    ServerAlias *yourdomain*
 
    DocumentRoot /volumes/data/www/yourdomain.com/prod/wordpress
    DirectoryIndex index.html index.php index.cgi
    ServerAdmin apache.admin@yourdomain.com
 
    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/yourdomain.com/prod/logs/www_errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/yourdomain.com/prod/logs/www_access.log 86400" combined
 
    Header set Access-Control-Allow-Origin *yourdomain.com
 
    Use RedirectTo https yourdomain.com
 
    <Directory "/volumes/data/www/yourdomain.com/prod/wordpress">
        AllowOverride all 
        Options +FollowSymLinks +ExecCGI
        Require all granted
        Order allow,deny
        Allow from all
    </Directory>
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
    </Files>
 
</VirtualHost>
 
<VirtualHost *:443>
...
</VirtualHost>
<Macro RedirectTo $protocol $domain>
  <If "%{REQUEST_URI} =~ m#^/\.well-known(/|$)#">
    # Do nothing
  </If>
  <ElseIf "tolower(req('Host')) != '$domain' || tolower(%{REQUEST_SCHEME}) != '$protocol'">
    Redirect permanent / $protocol://$domain/
  </ElseIf>
</Macro>

<VirtualHost *:80>
    ServerName www.yourdomain.com
    ServerAlias *yourdomain*

    DocumentRoot /volumes/data/www/yourdomain.com/prod/wordpress
    DirectoryIndex index.html index.php index.cgi
    ServerAdmin apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/yourdomain.com/prod/logs/www_errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/yourdomain.com/prod/logs/www_access.log 86400" combined

    Header set Access-Control-Allow-Origin *yourdomain.com

    Use RedirectTo https yourdomain.com

    <Directory "/volumes/data/www/yourdomain.com/prod/wordpress">
        AllowOverride all 
        Options +FollowSymLinks +ExecCGI
        Require all granted
        Order allow,deny
        Allow from all
    </Directory>
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
    </Files>

</VirtualHost>

<VirtualHost *:443>
...
</VirtualHost>

Lastly, make sure your wordpress/.htaccess file contains at least the following to ensure that files are served directly:

1
2
3
4
5
6
7
8
9
10
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

No comments as yet.

Leave Your Comment  Leave a comment

All fields marked with "*" are required.